Cloud access management is a relatively new science. Conventional approaches to privileged access and identity management are ineffective in today’s cloud-oriented DevSecOps environments. The principle of least privilege access still remains foundational, and traditional privileged access solutions can still deliver effective security in situations where development and operations are segregated and on-premises architecture predominates.
However when it comes to cloud access management, it is not enough to simply grant permanent standing privileges to a human or non-human user, even if they are limited to only those permissions needed to do their jobs. Especially now, when teams are dispersed and working remotely, credentials are proliferating in the cloud (outside of on-premises security protocols) and are more exposed to theft or abuse.
With DevSecOps teams now commonly working across many clouds, each with their own permission sets and usage models, we need to rethink how we manage cloud access management entirely, especially for privileged access. Let’s consider the individual issues that are preventing DevSecOps teams from easily securing access to cloud resources, and explore potential remedies to these challenges.
Data Point 1: Insufficient privilege management
The longstanding approach to cybersecurity in on-premises environments included ringfencing of users and assets—such as firewalls to keep out unwanted network traffic. Conversely, in multi cloud environments, it’s not possible to achieve effective cloud access management through ringfencing every application, resource, device, or user. Digital identity defines the new perimeter. The problem is this new identity-defined perimeter has made managing access privileges magnitudes more critical than ever before. In addition, the privileged access and identity management practices optimized for on-premises situations are ineffective in today’s cloud-oriented continuous integration and continuous delivery (CI/CD) DevSecOps environments.
Today’s just in time privileged access management platforms like Britive are designed to support temporary privilege grants that enable DevSecOps teams to maintain a Zero Standing Privilege (ZSP) security posture in a way that accelerates, not slows, the CI/CD development process. When dynamic permissioning (or privileging) platforms are integrated with existing security tools, such as user and entity behavioral analytics (UEBA) and advanced security information and event management (SIEM) engines, DevSecOps teams can gain deep visibility into cloud application events and access changes. When events occur, administrators can quickly act to protect critical information and cloud services from breaches.
Data Point 2: Attack surface sprawl
Companies today use hundreds or thousands of cloud services, and a typical DevSecOps operation can easily generate thousands of data access events every day. The result is that each human and machine user ends up having multiple identities and standing privilege sets sitting vulnerable to exploitation.
Recommendation:
Again, as with core security concerns, the automated granting and expiring of permissions—JIT privilege grants—is highly effective at minimizing attack surfaces. These JIT/ZSP solutions work on a Zero Trust model, which means no one and nothing is trusted with standing access to your cloud accounts and data. With JIT permissioning, elevated privileges can extend either for the duration of a session or task, or for a set amount of time. Once the task is complete, those elevated privileges are automatically revoked–all without sys-admin involvement. Where a user previously had standing access privileges potentially extending around the clock for months at a time, converting to JIT granting would compress that attack surface to several hours per month.
Further, JIT permissioning largely frees organizations from having to maintain and pay for both privileged and non-privileged accounts. Dynamic secrets generation – where a dynamic secret is generated on demand and is unique to a client, instead of a static secret being defined and shared ahead of time – also provides a better model for securing temporarily deployed services and features.
Data Point 3: Unmanaged privilege drift
User privileges tend to expand and change organically over time. This circumstance has long been recognized as a potential source of vulnerability in conventional privileged access solutions. In multi-cloud environments, privilege drift becomes exponentially more difficult to manage and keep consistent, and is far more likely to result in over-privileged users.
Recommendation:
Enforce least privilege access (LPA) by automating privilege right-sizing. Dynamic privilege granting enables organizations to automatically monitor and adjust privileges to ensure users have only the privileges needed to do their jobs. As such, security admins can quickly survey assigned privileges in order to identify “blind spots” such as over-privileged users and machine identities. With insight like this across clouds, it becomes possible—with security oversight—to remove privileges where they’re not needed and right size privileged access overall.
Data Point: 4: Lack of centralized control
Privileges differ from cloud service to service, necessitating learning each service separately and implementing privilege sets. Additionally, many DevSecOps organizations have had to rely on externally stored or hardcoded credentials—and end up struggling to manage privileges across a diversity of disconnected secure vaults.
Recommendation 1:
A more effective approach is to manage secrets through a central management solution, providing DevSecOps teams with real-time availability to all elements of secrets infrastructure across cloud and across secrets vaults, including certificates, keys, and tokens.
Recommendation 2:
Employing a unified cross cloud access management model makes it possible to manage privilege sets across multiple cloud services. Centralized provisioning automates privileging processes across all cloud resources, dramatically reducing the likelihood of errors that can place accounts and data at greater risk.
Just in time privileged access could solve cloud access management problems
DevOps and DevSecOps are still new and fast-evolving concepts within the wider computer science and cybersecurity universe. No doubt, DevOps has been wildly successful in accelerating automation and speeding time to market for innovative applications and business services. To date, however, security solutions providers have struggled with cloud access management. In other words, they have struggled to accelerate privileged access solutions that could secure the devices, data, and resources used by DevOps teams, especially in cross-cloud environments. Dynamic permissioning platforms using Just-In-Time (JIT) privilege grants and employing Zero Standing Privilege (ZSP) principles show great promise in solving these problems.
Read more in this downloadable guide: Six Best Practices for Managing & Securing Cloud Privileges
